Security risk running pfSense as VM

  • Hi there!

    I'm planning to buy an Alix 2d19 board to run my firewall and routing capabilities on it, however being a student I'm on budget constraints and as a temporary solution I need to sell my DD-WRT router (for the money) and run pfSense in a VM. I have 3 NICs and I'm planning to run a VM bridged with eth2 (WAN) and eth1 (LAN); eth0 would be used for the host (internet access). My plan is like this:

    eth2(ipv6 disabled, autoconfiguration disabled, host pc doesn't have an ip from wan, just sitting there to provide a "channel" for the VM WAN interface[different MAC because it's bridged] ) has the WAN cable plugged in.
    eth1 is the LAN interface of pfSense.
    eth0 is the LAN interface of the host.

    ---WAN cable--->eth2----pfSense authenticates over PPPoE using another MAC with the ISP and routes internet to eth1 |------eth1 cable goes into switch----> | ----another cable comes from switch, goes into eth0----->|host gets its LAN IP provided by pfSense and can access internet|

    My question is how big the security risk is in this setup?

    How can my system be exploited from the WAN(eth2) side?

    How can I harden the system to provide as much security as possible in this setup? (Ubuntu 9.10)

    Thank you in advance for any input provided,
    Best Regards
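    The setup above relies on the host's eth2 being a "dead" pass-through NIC: no IPv4 or IPv6 address of its own and no IPv6 autoconfiguration, so the host is not reachable on the WAN segment next to the VM. The following audit script is an added example, not from this thread or from pfSense; the interface name, the Linux sysctl keys and the sample `ip`/`sysctl` output are assumptions, with the samples constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host NIC that is used
# only as a bridge uplink for the pfSense VM's WAN (eth2 in the post).
# It must carry no address of its own and must not autoconfigure IPv6.
# Interface name and sysctl keys are assumptions; sample data is constructed.

# Succeeds when the `ip -o addr show dev <iface>` output has no inet/inet6
# address at all. A link-local fe80:: address counts as a leak, because it
# makes the host reachable on the WAN segment even without a global IP.
no_addresses() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])inet6?[[:space:]]' && return 1
    return 0
}

# Succeeds when the sysctl dump shows IPv6 disabled and RA/autoconf off
# for the interface ($1 = iface, $2 = output of `sysctl net.ipv6.conf.<iface>`).
ipv6_quiet() {
    for kv in "disable_ipv6 = 1" "accept_ra = 0" "autoconf = 0"; do
        printf '%s\n' "$2" | grep -qxF "net.ipv6.conf.$1.$kv" || return 1
    done
    return 0
}

# Overall verdict for the pass-through NIC: 0 = clean, 1 = leaks something.
# $1 = iface, $2 = `ip -o addr` output, $3 = sysctl output.
audit_passthrough_iface() {
    no_addresses "$2" && ipv6_quiet "$1" "$3"
}

# Constructed samples. A correctly "dead" eth2 prints no address lines.
CLEAN_ADDR=''
LEAKY_ADDR='2: eth2    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth2\       valid_lft forever preferred_lft forever
2: eth2    inet6 fe80::20d:b9ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
QUIET_SYSCTL='net.ipv6.conf.eth2.disable_ipv6 = 1
net.ipv6.conf.eth2.accept_ra = 0
net.ipv6.conf.eth2.autoconf = 0'
CHATTY_SYSCTL='net.ipv6.conf.eth2.disable_ipv6 = 0
net.ipv6.conf.eth2.accept_ra = 1
net.ipv6.conf.eth2.autoconf = 1'

# Live use on the host would be:
#   audit_passthrough_iface eth2 "$(ip -o addr show dev eth2)" \
#       "$(sysctl net.ipv6.conf.eth2)" && echo "eth2 is clean"
```

Run it periodically (or after every network-manager restart), since a DHCP client or NetworkManager re-enabling the interface is the usual way such a NIC silently acquires an address again.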

  • Have you read the various existing threads on the subject? They cover it effectively and there's little point in re-hashing it all again, and again, and again ;)

    In summary:

    1. You've introduced added complexity, which increases the security risk
    2. Any vulnerabilities in the virtual platform can be exploited, in addition to those in pfSense and those in the underlying host's network stack (and probably other places too)

    You can start improving security by ensuring you're up to date with all updates and patches. You're already 2 major releases of Ubuntu behind (and 11.04 is due shortly). At the very least you need to move to 10.04 LTS. You also need to ensure that your chosen virtual platform is kept fully up to date at all times.

  • Thank you for your reply!

    I did read the existing threads on the subject, but I didn't find anything specific for my setup.

    I know that one attack vector would be to exploit the driver and execute arbitrary code on the host, but I will use my pfSense WAN MAC not with a typical VirtualBox MAC. I will change it to a valid MAC that a hardware vendor uses on real hardware. (So this way a typical attacker wouldn't consider trying this attack vector.)

    Besides exploiting the driver of VirtualBox, how could somebody have an attack vector on a machine that doesn't have an IP address?
    Please, if you know similar and other attack vectors, let me know so I can prepare for these situations. (My only option is to sell the router, so as a temporary solution I HAVE to run pfSense in a VM.)

    All internet traffic from the host is going through the pfSense VM, so it will decrease the potential attack vectors from other applications running on the host. ( Default outbound policy will be "DENY if not otherwise specified" )

    About the host OS, I'm waiting for Ubuntu 11.04 to see how the performance is on my machine (pretty old Athlon XP 2600+) and depending on that I will choose between 11.04 or Debian 6.

    Best Regards

  • Your host's driver is still involved, since it has to be for VirtualBox to use the interface. Then VirtualBox is involved and finally the guest (pfSense in this case). If somebody finds an exploit in either the host or VirtualBox that can be exploited remotely, then they can bypass pfSense.

    It's all about risk management - you have to decide if the risk is worth the benefits. Is the extra complexity over just running iptables worth the features that pfSense brings, and the increase in risk?